On Fri, 12 Mar 2010, Dennis B. Hopp wrote:
> describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
> header __FORGED_YH1 From =~ /\...@yahoo\.com/i
> header __FORGED_YH2 Reply-to =~ /\...@yahoo\.com/i
> meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)
The problem with this is that the !__FORGED_YH2 matches
when there is *NO* Reply-To header at all!
You need something like this:
header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)
(remove the negation from the meta)
This directly tests for an existing Reply-To specifically to a domain
that does not begin with 'yaho'.
However, keep in mind that the headers for *this* mailing list would
trigger your rule. So you will also need to meta this with a rule that
tests for a Yahoo mail server being the sending SMTP client...
Gets tricky, doesn't it?
- C
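The two meta rules above can be modelled outside SpamAssassin to see exactly why the negated form misfires. The following is an added example, not code from the thread or from SpamAssassin: it emulates a `header NAME =~ /rx/` subrule (an absent header never matches) and evaluates both versions of `FORGED_YAHOO` against constructed messages, including the mailing-list case C warns about. The archive masked the address in the posted From/Reply-To patterns (`/\...@yahoo\.com/i`), so the `@yahoo\.com` pattern used here for those two subrules is an assumption about their intent; the Reply-To pattern in the fixed version is C's as posted.

```python
"""Added example (not from the thread): model how SpamAssassin header +
meta rules behave when the Reply-To header is absent entirely."""
import email
import re

# From test. The archive masked the address in the posted rule
# (/\...@yahoo\.com/i); this pattern is an assumption about its intent.
FORGED_YH1 = re.compile(r"@yahoo\.com", re.I)
# Reply-To test as Dennis posted it (same masking caveat as above).
FORGED_YH2_ORIG = re.compile(r"@yahoo\.com", re.I)
# Reply-To test as C rewrote it: an '@' followed by a domain that does
# not begin with 'yaho'. This one is verbatim from the reply.
FORGED_YH2_FIXED = re.compile(r"@([^y]|y[^a]|ya[^h]|yah[^o])", re.I)


def header_hit(msg, name, rx):
    """Emulate an SA `header NAME =~ /rx/` subrule.

    A header that is not present never hits, which is the whole point:
    negating such a subrule in a meta turns 'no Reply-To' into a match.
    """
    value = msg.get(name)  # header lookup is case-insensitive, as in SA
    return value is not None and rx.search(value) is not None


def forged_yahoo_original(msg):
    """meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2) -- the posted rule."""
    return (header_hit(msg, "From", FORGED_YH1)
            and not header_hit(msg, "Reply-To", FORGED_YH2_ORIG))


def forged_yahoo_fixed(msg):
    """meta FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2) -- C's rule, no negation."""
    return (header_hit(msg, "From", FORGED_YH1)
            and header_hit(msg, "Reply-To", FORGED_YH2_FIXED))


# Constructed sample messages; all addresses are placeholders.
SAMPLES = {
    "yahoo_no_replyto":
        "From: alice@yahoo.com\nSubject: hi\n\nbody\n",
    "yahoo_yahoo_replyto":
        "From: alice@yahoo.com\nReply-To: alice@yahoo.com\nSubject: hi\n\nbody\n",
    "yahoo_foreign_replyto":
        "From: alice@yahoo.com\nReply-To: collect@example.net\nSubject: hi\n\nbody\n",
    "not_yahoo":
        "From: bob@example.org\nReply-To: bob@example.org\nSubject: hi\n\nbody\n",
    # A mailing list that sets Reply-To to the list address: C's caveat.
    "yahoo_via_list":
        "From: alice@yahoo.com\nReply-To: list@lists.example.com\nSubject: hi\n\nbody\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample_name: (original_rule_hit, fixed_rule_hit)}."""
    results = {}
    for name, raw in samples.items():
        msg = email.message_from_string(raw)
        results[name] = (forged_yahoo_original(msg), forged_yahoo_fixed(msg))
    return results


if __name__ == "__main__":
    for name, (orig, fixed) in evaluate().items():
        print(f"{name:24s} original={orig!s:5s} fixed={fixed}")
```

Running it shows the posted rule firing on a plain Yahoo message with no Reply-To at all, while the rewritten rule stays quiet there and fires only when a Reply-To exists and points elsewhere. The last sample is the list-traffic false positive C mentions: both versions hit it, which is why a further sending-server check is needed in the meta.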